Revision as of 10:57, 17 November 2006

Brief Summary

The Data base listener is a network daemon unique to Oracle databases. It waits for connection requests from remote clients.
This daemon can be compromised and hence affect the availability of the database.

Description of the Issue

The DB listener is the entry point for remote connections to an Oracle database. It listens for connection requests and handles them accordingly. This test is possible, if the tester can access to this service: that means the test will be done from the Intranet (in normal Oracle installation this service is not exposed to the external network...we hope so!)
The listener by default listens on port 1521, it is good practice to change the listener from this port to another arbitary port number.
If this listener is "turned off" remote acess to the database is not possible. If this is the case ones application would fail also creating a denial of service attack. Potential areas of attack:

Stop the Listener - Hence creating a DoS attack.

Set a password and prevent others from controlling the Listener - Hijack the DB.

Obtain detailed information on the Listener, database, and application configuration.

Black Box testing and example

Upon discovering the port on which the listener resides one can assess the listener by running a tool developed by Integrigy:

The tool above checks the following:Listener Password
On many Oracle systems the listener password may not be set. The tool above verifies this.
If the password is not set an attacker could set the password and hijack the listener, albeit the password can be removed by locally editing the Listener.ora file.

Enable Logging
The tool above also tests to see if logging has been enabled. If it has not one would not detect any change to the listener/or have a record of it and also detection of brute force attacks on the listener would not be audited.

Admin Restrictions
If Admin restrictions are not enabled it is possible to use the "SET" commands remotley.

Example
If you find a TCP/1521 open port on a server, maybe you have an Oracle Listener that accept connections from the outside. If the listener is not protected by an authentication mechanism, or you can find easily a credential (as said above), it is possible to exploit this vulnerability to enumerate the Oracle services. For example, using LSNRCTL(.exe) (contained in every Client Oracle installation), you can obtain the following output:

In this case, we have not founded privileged DBA accounts, but OUTLN and BACKUP accounts hold a foundamental privilege: EXECUTE ANY PROCEDURE. That means that it is possible to execute every procedures, for exemple the following:

exec dbms_repcat_admin.grant_admin_any_schema('BACKUP');

The execution of this command permit to obtain DBA privileges. Now the user can interact directly with the DB and execute for example:

select * from session_privs ;

The output is the following screenshot:

So the user can now execute a lot of operations, in particular:
DELETE ANY TABLE
DROP ANY TABLE.